What exactly can an IFrame do with the top.Location object (cross-domain)?


Question

There is a very particular edge case in cross-domain policies regarding the window.top.Location object...

Let's say I have IFrame A, in domain www.bbb.com, living inside a page in domain www.aaa.com.

The page inside the IFrame can:


  • Compare window.top.location to window.location (to detect whether it's being framed)

  • Call window.top.location.replace(window.location) to redirect to itself

  • Call window.top.location.replace(any arbitrary string) to redirect somewhere else

But it can't:


  • Alert, document.write, or do any kind of output of window.top.location.href

  • Concatenate it with any other variable, or use it in any useful way

  • Call window.top.location.reload()

These are just the ones I could quickly find. I'm sure there are other edge cases.
It seems like the browser is not allowing the use of the top.location object if the top is in another domain, except for a few whitelisted things...

Is this documented anywhere?
Can I find what these whitelisted things are?
Is this in the HTML standard, and implemented equally in all browsers? Or is the implementation of this semi-random?

Recommended answer

The security rules do differ with the version of browser. Generally newer versions have stricter rules, but also more fine tuned.

I suspect that older browsers would freely let you access the location object of the top frame, a little newer browsers would deny it totally, and the current versions let you compare location objects but not read from them.

You might be able to find documentation about this, but it would be specific for each browser and specific for each version of the browser. As far as I know, there is no real standard for this. Each browser vendor tries to protect the user as much as possible, while still keeping some usability for the web site builder. Generally you can't really assume that anything close to the border works in all browsers, or that it will continue to work in future versions.
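
Because the answer says the behaviour varies by browser and version, a framed page can test what is permitted instead of assuming it. The following is an added example, not code from the original question or answer: `probeTopLocation` and `mockCrossOriginWindow` are hypothetical names, and the mock is a constructed stand-in that permits only the operations the question lists as working.

```javascript
// Added example. Probes top.location access from inside a frame.
// Nothing here navigates: `replace` and `reload` are looked up, never called.
function probeTopLocation(win) {
  const loc = () => win.top.location;
  const probes = {
    compare: () => loc() === win.location,   // framing check
    getReplace: () => typeof loc().replace,  // method lookup only
    readHref: () => loc().href,
    concatenate: () => "" + loc(),
    getReload: () => typeof loc().reload,
  };
  const result = {};
  for (const [name, fn] of Object.entries(probes)) {
    try {
      fn();
      result[name] = "allowed";
    } catch (e) {
      result[name] = "blocked: " + e.name;
    }
  }
  return result;
}

// Constructed stand-in for a cross-domain top window (assumption: it permits
// only what the question lists as working, and throws on everything else).
function mockCrossOriginWindow() {
  const topLocation = new Proxy({ replace() {} }, {
    get(target, prop) {
      if (typeof prop === "symbol") return undefined;
      if (prop === "replace") return target.replace;
      const err = new Error("cross-origin access to " + prop);
      err.name = "SecurityError";
      throw err;
    },
  });
  return {
    top: { location: topLocation },
    location: { href: "https://www.bbb.com/frame.html" }, // constructed URL
  };
}

// In a browser, run against the real window; elsewhere, use the mock.
const target = typeof window !== "undefined" ? window : mockCrossOriginWindow();
console.log(probeTopLocation(target));
```

Loaded inside the www.bbb.com frame, the same function reports what that particular browser allows, which makes differences between browsers and versions visible without redirecting the parent page.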
